Have you ever had your credit card stolen, lost your wallet, or misplaced your social security card? Whether it has happened to you or not, you can imagine the pit of despair that settles in your stomach knowing that one malicious actor is all it takes to create dreadful issues in your life by misusing your information. The compulsion to protect your own credit cards and social security number has likely been engrained into your brain and safeguarding the information is second nature. What may surprise you, is that a valid set of payment card details is only worth a little over $5 on the black market and a social security number is only valued at around $0.50, according to a Trustwave Global Security Report. What is even more surprising is the value of a health care record – one record goes for around $250. Some comprehensive health care records may even be valued as high as $2,000!
The data clearly shows there is a large financial incentive for malicious actors to target the healthcare sector. The 2022 Annual Report to Congress on Breaches of Unsecured Protected Health Information showed 68% of breaches reported to the Office for Civil Rights that affected 500 or more individuals were from health care providers, which supports the fact that all health care providers should be taking action to ensure the safety and security of their protected health information (PHI).
The 2022 Annual Report to Congress also indicated 74% of those breaches were reportedly due to hacking/IT incidents of electronic equipment or a network server. The compulsion to protect the pharmacy’s electronic PHI (ePHI) needs to be as important to pharmacy personnel as protecting their own credit card information and social security number. The first step in that process is educating staff on cybersecurity. Whether you are the owner or an employee at a high-volume, multi-store pharmacy or a low volume, single-store independent pharmacy, your data is enticing to malicious actors and no pharmacy is safe from cyberattacks.
The IBM Cost of a Data Breach Report 2023 found that a malicious insider accounted for about 6% of the data breaches but was the most costly type of data breach, resulting in an annual cost of around $4.9 million dollars. Phishing and stolen or compromised credentials had an associated annual cost of $4.76 million and $4.62 million, respectively, but were more prevalent accounting for over 30% of the breach attack vectors. Additionally, only one in three organizations identified a breach using their organization’s own security team or tools—meaning, two out of three organizations had their breaches reported to them by law enforcement or the entity that unlawfully accessed their records (like when a ransom request was received to release their data). It also took an average of over 200 days from the date of the breach to identify that the breach occurred and another 73 days to contain the breach. Most pharmacies will take a full year to recover from a large data breach.
Rather than getting wrapped up in the financial and time-consuming repercussions of a large breach, be protective. Cybersecurity training is essential to protecting your business, your reputation, and your ePHI. Having a tailored policy and procedure for protecting ePHI is only as good as the staff that adhere to those policies and procedures. A single careless or negligent employee can be the weak link broken by bad actors and may be the end of the pharmacy’s good reputation…and hard-earned money.
PAAS Tips:
- Watch the PAAS National® webinar, Cybersecurity Considerations for Community Pharmacies located on the Member Portal
- Know the top threats facing healthcare cybersecurity:
- Network connected medical device security
- Insider accidental, or malicious data loss
- Loss or theft of equipment and data
- Ransomware
- Social engineering
- Understand the components, and importance of a HIPAA Security Risk Analysis
- Perform and accurate and thorough assessment of the potential risk and vulnerabilities to the confidentiality, integrity, and availability of the pharmacy’s ePHI
- Identify and implement reasonable and appropriate physical, technical, and administrative safeguards as required by the HIPAA Security Rule
- Know the terms
- Vulnerability – a flaw or weakness in system security procedures, design, implementation or internal controls
- Threat – the potential for a person or thing to exercise a specific vulnerability (natural, human, and environmental)
- Risk – a function of the probability that a threat will attack a vulnerability and the resulting impact to the organization
- PAAS’ FWA/HIPAA Compliance Program members can update their HIPAA Risk Analysis and complete Cybersecurity training on the PAAS Portal
Diabetic Test Strip Authorized Distributors
Independent pharmacies continue to receive threatening letters from LifeScan and an affiliated law firm on a monthly basis. These letters argue that pharmacies submitted more claims for LifeScan’s OneTouch® diabetic test strip products to PBMs than are supported by purchase history from authorized distributors. This is essentially an “invoice audit” conducted behind the scenes and pharmacies are not participants until they receive the negative results.
Additionally, these letters threaten to expose pharmacies to harm by withholding rebate dollars owed to PBMs and notify PBMs of the pharmacy’s “non-compliance” unless the pharmacy pays a large amount of money to make the issue “go away”.
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Ensuring Audit Readiness: What PBMs Look for in Signature Logs and Proof of Delivery
One of the most common questions PAAS National® receives from our members is: what are the requirements for audits when signature logs are requested. This article contains reminders and requirements auditors will be looking for to help ensure your pharmacy will be prepared.
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
2024 Self-Audit Series #5: Topical Prescriptions
Topical medications are easy audit targets, especially with the rising costs of some of these medications. The discrepancy that is commonly cited for topical medications is …
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
How to Safeguard Your Pharmacy from Fraudulent Electronic Prescriptions
PAAS National® has recently assisted pharmacies who received fraudulent electronic prescriptions from prescribers that had their electronic prescribing credentials hacked or stolen. There was a recent widespread e-prescription fraud reported earlier this year where criminals issued over 18,000 prescriptions to pharmacies in 18 states in just a 5-hour span.
Fraudulent prescriptions that are billed to the patient’s insurance are subject to full recoupment when audited by the PBM. Unfortunately, pharmacies will need to cooperate with the PBM audit process and prove that they were not willing participants by explaining their process of “due diligence” to authenticate the prescriptions. To offset the financial losses from PBM recoupment, pharmacies will need to lean on their business insurance or separately pursue legal action against the perpetrators.
Of course, it would be much better to avoid dispensing (and billing) these fraudulent prescriptions from the start. Although electronic prescriptions are generally safer than written or telephone prescriptions, they are still vulnerable to exploitation by criminals targeting unsuspecting pharmacies.
Here are some techniques to spot fraudulent electronic prescriptions at your pharmacy:
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
What’s New with Prescription Validation Requests in 2024?
In the PAAS National® January 2024 Newsline article PBM Validation Requests Rose 123% in 2023 – What You Need to Know, we discussed the PBM trends we saw in 2023. Below is a list of drugs reviewed and analyst comments that have been compiled through the first six months of 2024 for comparison.
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Proper Billing of Nayzilam® and Valtoco® Nasal Sprays
A subset of patients who experience seizures due to epilepsy suffer from seizure clusters, despite being on maintenance epilepsy medications. Nayzilam® and Valtoco® are both FDA-approved for the “acute treatment of intermittent, stereotypic episodes of frequent seizure activity (i.e., seizure clusters, acute repetitive seizures) that are distinct from a patient’s usual seizure pattern” in patients 12 years and older and 6 years and older, respectively. Regardless, if your patient is prescribed Nayzilam® or Valtoco®, the perplexing billing opens the door for easy recoupments from PBMs.
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
On-Demand Webinar: Cybersecurity Considerations for Community Pharmacies
On May 8, 2024, PAAS National® hosted a webinar: Cybersecurity Considerations for Community Pharmacies. PAAS Audit Assistance members have access to the recorded webinar, in addition to many other tools and resources on the PAAS Member Portal.
In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA are of great importance, the stakes are higher than ever.
President of PAAS, Trent Thiede, discussed:
Should you have any questions, or need assistance getting access, call 608-873-1342 or email info@paasnational.com.
PAAS Tips:
The Different Cyclosporine Eye Drops That Could Cause Audit Trouble
Cyclosporine eye drops are used to increase tear production in individuals with certain eye conditions and dry eye disease. You are likely familiar with Restasis® and Restasis MultiDose®, but the newest cyclosporine product Vevye®, hit the market in late 2023.
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Independent Pharmacies are NOT Safe from Cyberattacks
Have you ever had your credit card stolen, lost your wallet, or misplaced your social security card? Whether it has happened to you or not, you can imagine the pit of despair that settles in your stomach knowing that one malicious actor is all it takes to create dreadful issues in your life by misusing your information. The compulsion to protect your own credit cards and social security number has likely been engrained into your brain and safeguarding the information is second nature. What may surprise you, is that a valid set of payment card details is only worth a little over $5 on the black market and a social security number is only valued at around $0.50, according to a Trustwave Global Security Report. What is even more surprising is the value of a health care record – one record goes for around $250. Some comprehensive health care records may even be valued as high as $2,000!
The data clearly shows there is a large financial incentive for malicious actors to target the healthcare sector. The 2022 Annual Report to Congress on Breaches of Unsecured Protected Health Information showed 68% of breaches reported to the Office for Civil Rights that affected 500 or more individuals were from health care providers, which supports the fact that all health care providers should be taking action to ensure the safety and security of their protected health information (PHI).
The 2022 Annual Report to Congress also indicated 74% of those breaches were reportedly due to hacking/IT incidents of electronic equipment or a network server. The compulsion to protect the pharmacy’s electronic PHI (ePHI) needs to be as important to pharmacy personnel as protecting their own credit card information and social security number. The first step in that process is educating staff on cybersecurity. Whether you are the owner or an employee at a high-volume, multi-store pharmacy or a low volume, single-store independent pharmacy, your data is enticing to malicious actors and no pharmacy is safe from cyberattacks.
The IBM Cost of a Data Breach Report 2023 found that a malicious insider accounted for about 6% of the data breaches but was the most costly type of data breach, resulting in an annual cost of around $4.9 million dollars. Phishing and stolen or compromised credentials had an associated annual cost of $4.76 million and $4.62 million, respectively, but were more prevalent accounting for over 30% of the breach attack vectors. Additionally, only one in three organizations identified a breach using their organization’s own security team or tools—meaning, two out of three organizations had their breaches reported to them by law enforcement or the entity that unlawfully accessed their records (like when a ransom request was received to release their data). It also took an average of over 200 days from the date of the breach to identify that the breach occurred and another 73 days to contain the breach. Most pharmacies will take a full year to recover from a large data breach.
Rather than getting wrapped up in the financial and time-consuming repercussions of a large breach, be protective. Cybersecurity training is essential to protecting your business, your reputation, and your ePHI. Having a tailored policy and procedure for protecting ePHI is only as good as the staff that adhere to those policies and procedures. A single careless or negligent employee can be the weak link broken by bad actors and may be the end of the pharmacy’s good reputation…and hard-earned money.
PAAS Tips:
Commercial Claims Reimbursed through Embedded GoodRx® Discount Cards
Pharmacies have been reaching out to PAAS National® with concerns about claims being reimbursed through an embedded discount card (e.g., GoodRx®) rather than a patient’s commercial insurance plan benefit. Most concerning is that these claims have negative remittances or “clawback fees” that reduce pharmacy revenue and may pose problems when trying to perform a Coordination of Benefits (COB) claim to a secondary payer, such as Medicaid.
PAAS wrote about Discount/Cash Cards being disruptors in the industry last March, after speaking at NCPA’s Multiple Locations Conference. The crux of the issue is discount cards have been gaining popularity (no thanks to GoodRx®) and have been effective at undermining the perceived benefit that PBMs are supposed to provide (i.e., why is GoodRx® able to offer a better price on my prescriptions than my insurance?). Consequently, major PBMs have embedded these discount card networks into the plan benefit design, which allows patient pay amounts to count towards deductibles (see press releases as follows).
While a pharmacy may have chosen to decline processing claims for GoodRx®, these newly embedded plans are not as easily identifiable (particularly in advance), and when they are, pharmacies can find themselves in a precarious situation. Contractually, pharmacies should not …
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips: